TOMOYO Linux is a Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool. It was launched in March 2003 and was sponsored by NTT DATA Corporation, Japan, until March 2012.
TOMOYO Linux focuses on the behaviour of a system. Every process is created to achieve a purpose, and, like an immigration officer, TOMOYO Linux lets each process declare the behaviours and resources it needs to achieve that purpose. When protection is enabled, TOMOYO Linux acts like an operation watchdog, restricting each process to only the behaviours and resources allowed by the administrator.
Fix 2006/02/21
@ Divide generic-write permission into individual write permissions.
Write permission was divided into the following permissions.
'mkdir' for creating a directory.
'rmdir' for deleting a directory.
'create' for creating a regular file.
'unlink' for deleting a non-directory.
'mksock' for creating a UNIX domain socket.
'mkfifo' for creating a FIFO.
'mkchar' for creating a character device.
'mkblock' for creating a block device.
'link' for creating a hard link.
'symlink' for creating a symbolic link.
'rename' for renaming a directory or non-directory.
'truncate' for truncating a regular file.
The permission check for opening files is done using the
conventional read/write/execute permissions.
@ Add /proc/ccs/info/mapping.
I added /proc/ccs/info/mapping so that userland programs
can learn the mapping of the individual write permissions.
Fix 2006/02/27
@ Fix handling of trailing '\*' in PathMatchesToPattern().
PathMatchesToPattern("/tmp/", "/tmp/\*") returned true
because "\*" matches "zero or more characters
until '/' or end of string". But since this is a comparison between
a directory and a non-directory, it should not match.
This behavior causes the following security risks.
In enforce mode, allowing "2 /tmp/\*" grants
"mkdir /tmp/" and "rmdir /tmp/" which should be
granted only when "2 /tmp/" is allowed.
In accept mode, "mkdir /tmp/" or "rmdir /tmp/" appends
"2 /tmp/\*" into the domain policy if "file_pattern /tmp/\*"
is in the exception policy.
I changed it so that a trailing '\*' in the pattern is not ignored
if the pathname ends with '/'.
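The following is an added example, not TOMOYO's own PathMatchesToPattern() code: a simplified matcher that models only the "\*" wildcard (zero or more characters up to the next '/' or the end of the string) and treats a pathname ending in '/' as a directory, as TOMOYO does. The same function is run with the old behaviour and with the fix described above, and a hypothetical enforce-mode lookup over a constructed domain policy containing "2 /tmp/\*" shows that the old matcher grants generic write on the directory "/tmp/" itself while the fixed one does not. The function and policy names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified re-implementation (not TOMOYO's code) of pathname-to-pattern
 * matching with the one wildcard that matters here: "\*", which matches zero
 * or more characters up to the next '/' or the end of the string. Other
 * TOMOYO wildcards (\$, \?, ...) are deliberately not modelled.
 *
 * When dir_strict is set, a "\*" that ends the pattern may not match the
 * empty string; that is the 2006/02/27 fix applied to directory pathnames.
 * With dir_strict clear the function reproduces the old behaviour.
 */
static bool match_rest(const char *f, const char *p, bool dir_strict)
{
    while (*p) {
        if (p[0] == '\\' && p[1] == '*') {
            const char *q = p + 2;   /* pattern after the wildcard */
            const char *s = f;       /* candidate end of the wildcard run */
            if (dir_strict && *q == '\0') {
                /* trailing "\*" must consume at least one character */
                if (*s == '\0' || *s == '/')
                    return false;
                s++;
            }
            for (;;) {
                if (match_rest(s, q, dir_strict))
                    return true;
                if (*s == '\0' || *s == '/')
                    return false;    /* "\*" cannot cross a '/' */
                s++;
            }
        }
        if (*f != *p)
            return false;
        f++;
        p++;
    }
    return *f == '\0';
}

/* TOMOYO convention: a pathname of a directory ends with '/'. */
static bool is_dir_path(const char *path)
{
    size_t n = strlen(path);
    return n > 0 && path[n - 1] == '/';
}

/* Pre-fix behaviour: "/tmp/" matches "/tmp/\*". */
bool path_matches_pattern_old(const char *filename, const char *pattern)
{
    return match_rest(filename, pattern, false);
}

/* Post-fix behaviour: a trailing "\*" is not ignored for a directory pathname. */
bool path_matches_pattern_new(const char *filename, const char *pattern)
{
    return match_rest(filename, pattern, is_dir_path(filename));
}

/*
 * Hypothetical enforce-mode lookup: does any generic-write ("2 <pattern>")
 * entry of a domain policy cover the pathname? acl holds just the patterns.
 */
bool write_granted(const char *const *acl, size_t n, const char *path, bool fixed)
{
    for (size_t i = 0; i < n; i++) {
        if (fixed ? path_matches_pattern_new(path, acl[i])
                  : path_matches_pattern_old(path, acl[i]))
            return true;
    }
    return false;
}

int main(void)
{
    /* constructed domain policy: generic write on non-directories under /tmp/ */
    const char *const acl[] = { "/tmp/\\*" };
    const char *paths[] = { "/tmp/", "/tmp/passwd", "/tmp/sub/", "/tmp/a/b" };
    for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
        printf("%-12s old=%d new=%d\n", paths[i],
               write_granted(acl, 1, paths[i], false),
               write_granted(acl, 1, paths[i], true));
    return 0;
}
```

Only the directory "/tmp/" itself changes verdict: "/tmp/sub/" never matched "/tmp/\*" in either version because the '/' after "sub" stops the wildcard, so the risk described above is exactly mkdir/rmdir of the pattern's own prefix directory.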
Fix 2006/03/01
@ Add missing spinlock in GetAbsolutePath().
vfsmount_lock was missing.
Fix 2006/03/08
@ Add support for "shared subtree" mount operations.
Kernel 2.6.15 introduced "shared subtree" functionality.
But CheckMountPermission() couldn't recognize flags for
do_change_type().
@ Add support for more mount flags.
atime/noatime, diratime/nodiratime, recurse/norecurse flags
are supported.
Fix 2006/03/20
@ Check port numbers for only AF_INET/AF_INET6.
CheckBindEntry() and CheckConnectEntry() should check port numbers
only when the given address family is either AF_INET or AF_INET6,
because an address family such as AF_UNSPEC can be passed to bind()
and connect() on PF_INET/PF_INET6 sockets.
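As an added example (not TOMOYO's CheckBindEntry()/CheckConnectEntry() code), the helper below decides whether a sockaddr passed to bind() or connect() carries a port number a policy check should look at: only AF_INET and AF_INET6 do, and the socklen is checked before the structure is read so that a short or AF_UNSPEC address is never interpreted as a sockaddr_in. The port allow-list and the connect_allowed() wrapper are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * Hypothetical helper (not TOMOYO code): extract the port, in host byte
 * order, from an address given to bind()/connect(). Only AF_INET and
 * AF_INET6 addresses have a port; for any other family (AF_UNSPEC, which
 * is valid on a PF_INET socket, AF_UNIX, ...) the bytes at the sin_port
 * offset mean something else or nothing, so the caller is told there is
 * no port to check. The length check guards against a short sockaddr.
 */
bool port_to_check(const struct sockaddr *sa, socklen_t len, unsigned short *port)
{
    if (sa == NULL || len < (socklen_t)sizeof(sa->sa_family))
        return false;
    switch (sa->sa_family) {
    case AF_INET: {
        struct sockaddr_in in4;
        if (len < sizeof(in4))
            return false;
        memcpy(&in4, sa, sizeof(in4));   /* copy: avoid misaligned access */
        *port = ntohs(in4.sin_port);
        return true;
    }
    case AF_INET6: {
        struct sockaddr_in6 in6;
        if (len < sizeof(in6))
            return false;
        memcpy(&in6, sa, sizeof(in6));
        *port = ntohs(in6.sin6_port);
        return true;
    }
    default:
        return false;   /* AF_UNSPEC etc.: no port to check */
    }
}

/*
 * Port rule with a constructed allow-list. Families without a port are
 * not subject to this rule at all; any other checks on them are out of
 * scope for this example.
 */
bool connect_allowed(const struct sockaddr *sa, socklen_t len,
                     const unsigned short *allowed, size_t n)
{
    unsigned short port;
    if (!port_to_check(sa, len, &port))
        return true;
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == port)
            return true;
    return false;
}

int main(void)
{
    const unsigned short allowed[] = { 80, 443 };   /* constructed policy */
    struct sockaddr_in in4;
    memset(&in4, 0, sizeof(in4));
    in4.sin_family = AF_INET;
    in4.sin_port = htons(22);
    in4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    struct sockaddr unspec;
    memset(&unspec, 0, sizeof(unspec));
    unspec.sa_family = AF_UNSPEC;   /* e.g. connect() to dissolve a UDP association */

    printf("connect 127.0.0.1:22 -> %s\n",
           connect_allowed((struct sockaddr *)&in4, sizeof(in4), allowed, 2)
               ? "allowed" : "denied by port rule");
    printf("connect AF_UNSPEC     -> %s\n",
           connect_allowed(&unspec, sizeof(unspec), allowed, 2)
               ? "not subject to port rule" : "denied by port rule");
    return 0;
}
```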
Fix 2006/03/27
@ Use /proc/self/ rather than /proc/\$/ for current process.
GetAbsolutePath() now uses "self" instead of the pid
if the current process refers to information about itself.
This exception violates the rule "TOMOYO Linux's pathnames don't
contain symbolic links before the last '/'", but I think it is worth
doing so. The following are the merits gained by this exception.
Prevents administrators from granting redundant permissions
when a process needs to refer only to the current process's information.
Allows administrators to make the current process's information always
readable using the 'allow_read' directive.
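An added example of the rewrite described above, not TOMOYO's GetAbsolutePath(): a hypothetical normalize_proc_self() that turns "/proc/<pid>/..." into "/proc/self/..." only when <pid> is the calling process's own pid, so that one 'allow_read /proc/self/...' line can cover a process's own entries instead of a '/proc/\$/' pattern that would also match every other process. The pid is parsed as a whole path component, so "/proc/12345/" is not mistaken for the entry of pid 1234.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (not TOMOYO code). Rewrites the "/proc/<pid>" prefix
 * of an already-resolved pathname to "/proc/self" when <pid> equals self.
 * Returns false and leaves out untouched when the path is not one of the
 * process's own /proc entries or out is too small. Paths that already use
 * "/proc/self" are left alone (false, nothing to rewrite).
 */
bool normalize_proc_self(const char *path, pid_t self, char *out, size_t outsz)
{
    static const char prefix[] = "/proc/";
    const size_t plen = sizeof(prefix) - 1;
    if (strncmp(path, prefix, plen) != 0)
        return false;

    /* parse the decimal pid following "/proc/": no leading zero, no sign */
    const char *p = path + plen;
    if (*p < '1' || *p > '9')
        return false;
    unsigned long pid = 0;
    while (*p >= '0' && *p <= '9') {
        if (pid > ULONG_MAX / 10)
            return false;               /* absurdly long digit string */
        pid = pid * 10 + (unsigned long)(*p - '0');
        p++;
    }
    /* the pid must be a complete component: "/proc/1234" or "/proc/1234/..." */
    if (*p != '/' && *p != '\0')
        return false;
    if (self < 0 || pid != (unsigned long)self)
        return false;                   /* another process's entry: keep the pid */

    static const char self_prefix[] = "/proc/self";
    const size_t slen = sizeof(self_prefix) - 1;
    if (slen + strlen(p) + 1 > outsz)
        return false;
    memcpy(out, self_prefix, slen);
    strcpy(out + slen, p);              /* remainder, starting at '/' or '\0' */
    return true;
}

int main(void)
{
    /* constructed inputs; only the path for our own pid is rewritten */
    char me[64], buf[64];
    snprintf(me, sizeof(me), "/proc/%ld/status", (long)getpid());
    const char *samples[] = { me, "/proc/1/status", "/proc/self/status", "/etc/passwd" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        bool changed = normalize_proc_self(samples[i], getpid(), buf, sizeof(buf));
        printf("%-24s -> %s\n", samples[i], changed ? buf : "(unchanged)");
    }
    return 0;
}
```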
Version 1.1 2006/04/01 Functionality enhancement release.